Performance Audit Report

SBA's Lender Loan Reporting Process has Systemic Reporting Issues and Data Control Weaknesses

February 23, 2012
Report Number 12-08

U.S. Small Business Administration
Office of Inspector General
Washington, D.C. 20416

REPORT TRANSMITTAL
REPORT No. 12-08

DATE: February 23, 2012

To: Jeanne Hulit
    Associate Administrator for Capital Access

    Paul T. Christy
    Chief Operating Officer

SUBJECT: SBA's Lender Loan Reporting Process has Systemic Reporting Issues and Data Control Weaknesses

This report presents the results of our Audit of Control and Security of SBA's Fiscal Transfer Agent and Reporting Process. Our audit objective was to determine the adequacy of SBA's controls and oversight over the development, security, and operation of certain information technology systems and processes performed by Colson Services Corporation.

We request you provide your management decision for each recommendation on the attached SBA Form 1824, Recommendation Action Sheet, by March 26, 2012 (30 days after final report date). Your decision should identify the specific actions taken or planned for each recommendation and the target dates for completion.

We appreciate the courtesies and cooperation of the Office of the Capital Access and Office of Chief Information Officer during this audit.
If you have any questions concerning this report, please call me at (202) 205-7390 or Jeffrey Brindle, Director, Information Technology and Financial Management Group at (202) 205-7490.

/S/ original signed.
John K. Needham
Assistant Inspector General for Auditing

What OIG Audited

Since 1989, Colson Services Corporation has performed certain functions for SBA in the 7(a) loan program and more recently in the 504 loan program. These functions include processing certain automated transactions and developing new information technology systems. Our audit objective was to determine the adequacy of SBA's controls and oversight over the development, security, and operation of certain information technology systems and processes performed by Colson Services Corporation (Colson).

We reviewed Colson's performance and SBA's oversight of:
• the processing of lenders' loan reports on the status and balance of all SBA 7(a) loans, using SBA Form 1502, Guaranty Loan Status and Remittance Report, including error corrections;
• the design, development, and SBA oversight of the 504 First Mortgage Loan Pooling (FMLP) system;
• the security and independent audit requirements of Colson's systems; and
• guaranty fee collection and reconciliations.

Figure 1. Loan Error Growth from April 2006 to March 2011 (chart titled "Five Year Loan Error Growth"; horizontal axis from Apr 2006 to Mar 2011)

What OIG Found

SBA's Lender Loan Reporting process had systemic reporting issues and data control weaknesses that resulted in an estimated $956 million overstatement of unpaid loan balances with an estimated $5.2 million effect on program subsidy. Lenders frequently did not report the status and balance of their loans to Colson. Less than one percent of SBA lenders were responsible for over half of identified errors and omissions. Further, Colson and SBA systems perform different error checking routines, making error correction untimely and labor intensive. The loan error volume grew by 63.5 percent from April 2006 to March 2011, reaching 44,327 errors.

The SBA provided limited oversight of the 504 FMLP system development and did not ensure it met SBA's quality standards.

We also found that SBA systems were being operated by Colson without ensuring their compliance with Federal security requirements.

Finally, secondary market late penalty fee collection needs improvement. The SBA was due $2.5 million in late penalty fees, most of which are at least 180 days outstanding.

OIG Recommendations

We made 11 recommendations, the most significant being to: 1) correct loan balances contributing to the $5.2 million subsidy overstatement; 2) collect $2.5 million in outstanding late penalty fees; 3) ensure that system development projects adhere to SBA quality standards for systems development projects; and 4) ensure that systems are authorized to operate prior to being put into production. Management agreed with our recommendations except for the recommendation to collect the $2.5 million in outstanding late penalty fees.

Actions Taken

The SBA initiated a special project to address weaknesses in the 1502 reporting process prior to issuance of a draft of this report.

Table of Contents

Introduction
   Objectives
   Background
Results
   Finding: SBA Management has not Adequately Addressed Systemic Data Control Weaknesses within the 1502 Reporting Process
      Lenders omit loans from the Form 1502 Report
      Lenders report loans incorrectly on the Form 1502
      SBA and Colson do not use the same edit check criteria
      Conclusion
      Management Actions Taken and In Process
      Recommendation(s)
   Finding: The SBA did not Provide Adequate Oversight of the First Mortgage Loan Pooling System Development
      Conclusion
      Recommendation(s)
   Finding: The SBA Did Not Ensure that Colson's Operation of SBA Systems Met Federal Security Requirements
      Conclusion
      Recommendation(s)
   Finding: The SBA has not Adequately Enforced Collection of Secondary Market Late Penalty Fees
      Conclusion
      Recommendation(s)
AGENCY COMMENTS AND OFFICE OF INSPECTOR GENERAL RESPONSE
Appendix I: Scope and Methodology
Appendix III: Lenders Reporting at Least 100 Loans in Error between October 2010 - March 2011
Appendix IV: Summary Table of 1502 Errors
Appendix V: Sample of SBA Loans in Error
Appendix VI: SBA 1502 Edits not Effectively Utilized by Colson
Appendix VII: Use of Computer-Processed Data and Prior Coverage
Appendix VIII: Agency Comments

Introduction

This audit examines the Small Business Administration's (SBA's) oversight of information technology systems and fee recovery processes employed by one of its contractors, Colson Services Corporation (Colson). Colson provides services to assist the SBA's administration of its business loan programs.
The audit identified data control weaknesses, concerns with SBA's oversight of system development for a new program, areas of improvement in certain fee collection processes, and other internal control weaknesses.

Objectives

Our audit objective was to determine the adequacy of SBA's controls and oversight over the development, security, and operation of certain information technology systems and processes performed by Colson.

Background

Colson has been SBA's Fiscal Transfer Agent (FTA)[1] for the SBA's 7(a) guaranty loan program through successive contracts since 1989. Colson also acts as the Central Servicing Agent (CSA) for the SBA's 504 Development Company Program. Colson is compensated by the collection of fees (e.g., issuance, service, transfer, origination, etc.) that it earns on various program-related transactions. The FTA earns additional revenue from its role as an intermediary between lenders that sell the guaranteed portions of SBA-backed loans (either as individual guarantees or in loan pools) to investors on SBA's secondary market. Colson earns float interest from this role. Float interest is earned by receiving interest between the date payments are received from lenders and the date payments are made either to the investors (known as "registered holders") or to the SBA's Master Reserve Fund[2].

To ensure the integrity of the guaranteed loan portfolio, the SBA mandates that lenders with outstanding 7(a) loans report the status and balance of all SBA 7(a) loans in their portfolio using SBA Form 1502: Guaranty Loan Status and Remittance Form[3].
The SBA requires the submission of this form, even when there are no payment activities from the borrowers for the subject month. Since 1996, Colson has collected the Form 1502 data from lenders on the SBA's behalf. To facilitate the processing of this data, at the beginning of each month, Colson receives an SBA file to establish the population of loans expected to be reported during the month. The information Colson receives from lenders is then compared to SBA data using a series of edit checks (i.e. error checks) to ensure accuracy and completeness.

[1] The FTA's principal duties are to facilitate the settlement of the first sale of a loan; record current and all prior registered holders (investors) of a loan; track loan payment histories; collect payments from lenders on sold loans; remit payments to investors; forward all servicing requests from a lender to the investor and forward the response back to the lender; notify SBA of delinquent loans; and handle SBA and lender repurchases from the investor.
[2] The Master Reserve Fund was created to facilitate operation of loan pooling in SBA's 7(a) secondary market program by holding both the principal paid from borrowers and due to investors, as well as accumulated interest earnings.
[3] This form also serves as the medium for lender submission of 7(a) loan program guarantee fees and payments for loans sold on the secondary market.

Colson notifies lenders of discrepancies identified by the edit checks so revisions can be made. Near the 20th of each month, Colson transmits loan information to the SBA to update the Loan Accounting System (LAS). During the same month, the FTA transmits additional information to the SBA as lenders correct identified reporting errors or submit 1502 updates.
Prior to using any of the loan data from Colson, the SBA runs a series of edit checks to ensure that the information is valid. The loan data is then updated into the SBA's Electronic Loan Information Processing System (ELIPS). The SBA's ELIPS is the system of record for loan accounting and subsidy calculations.

Multiple OIG audits and other reviews conducted between 2005 and 2011 identified the need for the Agency to:

• implement consistent edit check criteria with Colson;
• identify and address lenders that had consistent 1502 reporting errors;
• develop and enforce penalties on lenders who do not report on their loans; and
• provide adequate training to lenders.

In 2007, the SBA re-solicited the FTA contract and, in response to previous OIG recommendations, included contract provisions to improve the quality of 1502 data and reporting. Upon contract award in 2008, responsibility for 1502 data error correction was transferred from SBA field offices and servicing centers to the FTA.

The SBA's implementation of provisions of the American Recovery and Reinvestment Act[4] required modifications to Colson systems and operations as SBA's FTA for the 7(a) Loan Program and CSA for the 504 Development Company Program. Specifically, section 503 of the American Recovery and Reinvestment Act authorized SBA to place a Federal guaranty on a pool of first mortgages associated with loans made under its 504 Development Company Program. In June 2010, the SBA modified its CSA contract with Colson for $2 million to include development of an SBA system to service 504 first mortgage loan pools.
This application is referred to as the 504 First Mortgage Loan Pooling System.

Review of Internal Controls

The SBA's Standard Operating Procedures[5] provides guidance on the implementation and maintenance of effective systems of internal control as required by Federal Managers Financial Integrity Act of 1982. Accordingly, the Office of Management and Budget (OMB) Circular A-123[6] provides further guidance for effective systems of internal control to improve the accountability and effectiveness of Federal programs and operations by establishing, assessing, correcting, and reporting on internal controls. Circular A-123 also provides that processes for conducting management's assessment of the effectiveness of internal controls over financial reporting should be based on widely recognized internal control standards.

[4] On February 17, 2009, in response to the economic crisis, the American Recovery and Reinvestment Act was enacted, establishing new SBA programs as well as changes to existing SBA programs.
[5] SBA SOP 00 02: Internal Control Systems
[6] OMB Circular A-123, "Management's Responsibility for Internal Control."

We identified internal control weaknesses as they relate to the audit objective. Specifically, the Office of Capital Access (OCA) did not adequately ensure that 7(a) loan transactions exchanged between Colson and the SBA received consistent system edits and related error correction procedures. In addition, OCA management did not adequately address previous OIG audit and external consultant recommendations intended to improve the quality of 1502 data and reporting.
Further, the SBA was not compliant with its system development guidance and did not adhere to Federal security requirements relating to system authorizations.

We will provide a copy of the final report to the senior officials responsible for internal controls in the Office of the Chief Financial Officer and Office of Capital Access.

Nature of Limited or Omitted Information

No information has been omitted due to confidentiality or sensitivity, nor were there limitations to information on this audit.

Results

Finding: SBA Management has not Adequately Addressed Systemic Data Control Weaknesses within the 1502 Reporting Process

Between October 2010 and March 2011, a monthly average of 42,000 loans, or approximately 13% of the 320,000 active 7(a) loans, did not have their outstanding balance and status updated in SBA's ELIPS. Approximately 20,000 of these loans were not updated for this entire six-month period.

Over the past five years, the number of loans in error per month increased from approximately 27,000 to 44,327 loans[7]. This occurred because some lenders did not report all of their loans, some reports contained unresolved errors, and edit checks used by the SBA and Colson were not consistent. Further, Colson was not effectively complying with its contractual requirement to correct errors and the SBA was not enforcing the requirement. As a result, 7(a) loan unpaid principal balances and subsidy re-estimates have been overstated and fees due to the SBA may not be collected.
Specifically, a consultant performed a study on behalf of the Office of the Chief Financial Officer, which determined that the unpaid principal balance of the SBA's 7(a) portfolio was overstated by $956 million. Because of overstating the amount of unpaid loans in its portfolio by nearly $1 billion, the SBA's estimate of the money needed to subsidize projected losses in the program was overstated by $5.2 million[8] as of April 2011[9].

Lenders omit loans from the Form 1502 Report

Lenders did not report about 17,000 loans each month (four to five percent of the approximately 320,000 loans in the active 7(a) loan portfolio) to Colson via the SBA Form 1502.

[7] Monthly loans in error include unreported loans.
[8] The estimates disclosed in the consultant's study as being based on term loans included both term loans and loans with revolving lines of credit.
[9] Annually, under the Credit Reform Act, SBA must assess the adequacy of its loan subsidy balances. Consequently the $5.2 million subsidy cost overstatement may result in excess funds being transferred from the 7(a) subsidy loan program account as well as overstate SBA's lending costs.

Loans that are not reported by lenders may overstate the loan balance and adversely affect SBA fee collections. For loans not sold on the secondary market, the ongoing guaranty fee is remitted with the Form 1502 every month an interest payment is received.
Therefore, if a lender does not report the status of an unsold loan and remit the fee on the Form 1502, Colson cannot determine whether or not an interest payment was made to the lender and thus, whether the ongoing guarantee fee is due to the SBA.

Between October 2010 and March 2011, 20 lenders consistently did not report some or all of their loans on the Form 1502[10]. In March 2011, these 20 lenders[11], which represent less than 1-percent of lenders reporting to Colson, were responsible for 53-percent of the 15,533 unreported loans.

Lenders report loans incorrectly on the Form 1502

Approximately four to five percent of the remaining active 7(a) loans that are reported monthly by lenders to Colson contained at least one error. These errors included reporting loans that were paid in full or purchased and reporting outstanding loan balances that exceeded the loan approval amount. On average, Colson, in coordination with SBA lenders, corrected only 10-percent of the loans in error prior to submitting the 1502 information to the SBA. Between October 2010 and March 2011, 17 lenders[12] had consistent 1502 reporting errors.
In March 2011, these 17 lenders, which represent less than 1-percent of lenders reporting to Colson, were responsible for 48-percent of the loans with reporting errors identified by Colson[13]. If an error is not corrected, the current loan status and outstanding balance is not updated in ELIPS, thereby resulting in inaccurate data.

SBA and Colson do not use the same edit check criteria

Inconsistent business rules used by the SBA and Colson systems to perform edit (i.e., error) checks on 1502 data resulted in an unresolved backlog of erroneous data. Between October 2010 and March 2011, twelve error conditions identified by the SBA's system accounted for 96-percent of the total errors affecting 7(a) loans. However, because Colson used different business rules to check for errors, the FTA was unable to identify and address many of the errors noted by the SBA.[14] Further, the SBA did not provide Colson with the information or requirements necessary to correct the errors. We performed limited sampling of errors in 1502 data[15] and found that Colson either did not or was unable to take corrective action for seven SBA edit checks, which accounted for approximately 35% of monthly SBA identified 1502 errors.[16]

[10] These 20 lenders did not report at least 100 loans on the Form 1502 for each month.
[11] See Appendix II for the list of lenders that did not consistently report their loans on the Form 1502.
[12] Eleven of these lenders also did not consistently report some or all of their loans to Colson.
[13] See Appendix III for the list of lenders that had consistent Form 1502 reporting errors.
[14] For a detailed breakdown of errors affecting SBA loans see Appendix IV: Summary Table of 1502 Errors.
[15] For details on our sampling methodology see Appendix I: Scope and Methodology.
[16] For detailed information on our sample results see Appendix V: Sample of SBA Loans in Error and Appendix VI: SBA 1502 Edits Not Effectively Utilized by Colson.

OMB Circular A-123 requires controls to ensure that transactions are properly authorized and processed accurately and that data is valid and complete. It also requires that controls, such as edit checks, be established within Agency systems to verify inputs and outputs. Further, this guidance requires agencies to continuously monitor the effectiveness of internal control. Circular A-123 also provides that personnel should be responsible for periodic reviews, reconciliations or comparisons of data and periodic assessments should be integrated as part of management's continuous monitoring of internal control.

To correct deficiencies in the 1502 reporting process that were identified by the OIG in 2005 and subsequent internal control reviews, the SBA included provisions within the FTA contract to improve the quality of 1502 data and reporting. These requirements included:

• the implementation of a daily electronic loan information exchange with SBA, and
• the requirement for Colson to resolve 99-percent of the correctable errors identified by SBA edit criteria, or 97-percent of the affected loan accounts within one month.

The SBA did not enforce these provisions, however, since it did not provide Colson with system business rules necessary to support them. Additionally, SBA management directed Colson's efforts towards other program priorities.
These priorities included systems development and modifications necessary to enact SBA programs established in the American Recovery and Reinvestment Act. Finally, management stated that staffing shortages within the Office of Financial Assistance contributed to these ongoing 1502 deficiencies.

Conclusion

Agency management had not adequately addressed systemic control weaknesses that prevent the updating of loans in ELIPS. As a result, 1502 error rates had increased from previous years. This put the quality and reliability of SBA's 7(a) portfolio data at risk, overstated subsidy estimates, and exposed the SBA to potential financial losses from uncollected ongoing guarantee fees. Specifically, a consultant performed a study on behalf of the Office of the Chief Financial Officer that determined that the unpaid principal balance of SBA's 7(a) portfolio was overstated by $956 million. This created an estimated $5.2 million subsidy re-estimate overstatement as of April 2011, which may result in excess funds being transferred from the 7(a) subsidy loan program account to the 7(a) financing account and overstate SBA's lending costs.

Management Actions Taken and In Process

In response to our findings, the SBA has initiated a special project to address identified weaknesses in the 1502 reporting process.

Recommendation(s)

In order to improve the conditions affecting SBA's 1502 reporting process, we recommend that the Associate Administrator, Office of Capital Access:

1. Research and correct loans that have not been reported within the ELIPS for a significant length of time (i.e. 6 months or more) which contribute to subsidy overstatements currently estimated at $5.2 million.
2. Utilize the lender exception detail reports to identify and address lenders that consistently do not report loans and issue corrective action plans.
3. Utilize the lender exception detail reports to identify lenders with consistent 1502 errors and develop training programs that will significantly reduce their error rates.
4. Identify SBA business rules that affect most loans and provide them in a useable format that Colson can integrate into relevant systems.
5. Develop a plan to oversee and enforce FTA contractual requirements for the daily electronic loan information exchange and error correction.

Agency Comments

Recommendation 1
The SBA fully agreed with our recommendation. The OCA has initiated a project team to develop and implement a lender outreach program focused on changing lender behavior. The goal of this program is to develop greater lender awareness and connect greater lender compliance with program privileges by establishing an enforcement role within the SBA's Office of Credit Risk Management (OCRM). The SBA's proposed actions are responsive to recommendation 1.

Recommendation 2
The SBA fully agreed with our recommendation. The lender exception detail reports have been circulated to OCRM each month since August 2010 to focus attention on those lenders repeatedly identified with unreported or incorrect and unresolved reporting errors. The SBA's proposed actions are responsive to recommendation 2.

Recommendation 3
The SBA fully agreed with our recommendation. The SBA has a plan in place to build greater awareness within the lender community on proper completion of the Form 1502. The SBA is utilizing exception reports to identify lenders and researching Agency resources that could best address corrective efforts with these lenders. The SBA's proposed actions are responsive to recommendation 3.

Recommendation 4
The SBA fully agreed with our recommendation. The SBA 1502 process improvement project includes consolidating SBA validation codes at Colson.
Development and implementation is\nunderway and the Agency expects results by the first quarter of calendar year 2012. The SBA\'s\nproposed actions are responsive to recommendation 4.\n\nRecommendation 5\nThe SBA fully agreed with our recommendation. The SBA has incorporated oversight functions\ninto their improvement project and technical team meetings between the FTA and SBA systems\ninformation staff are underway. The SBA\'s proposed actions are responsive to recommendation\n5.\n\n\n\n\n                                            6\n\x0c               Finding: The SBA did not Provide Adequate Oversight of the First Mortgage Loan\n                                         Pooling System Development\n\n        The SBA\'s oversight of the Colson 504 First Mortgage Loan Pooling (FMLP) system development\n        project was not adequate to ensure that the project met the standards in SBA\'s System\n        Development Method (SDM)17. Specifically, the SBA did not provide adequate project\n        management and oversight, which would include the review, approval, and retention of project\n        documentation and deliverables. SBA officials overseeing the project cited a lack of awareness\n        of the SDM requirements as the reason for these omissions.\n\n                              18\n        The SBA procedures require the SBA\'s SDM or its equivalent to be used on all information\n        technology (IT) system development projects. The SBA\'s SDM is a phased approach that\n        requires the sponsoring official to assign a project manager who is accountable for ensuring that\n        phase deliverables are completed, reviewed, and approved before moving forward to a\n        successive phase. This helps ensure that key issues are identified and addressed as early as\n        possible, and limits major modifications to the original project.\n\n        The SBA also did not participate in system acceptance testing as required by the SDM. 
Per the\n        SDM, system acceptance testing emphasizes the proper functioning of the system from the\n        user\'s point of view and demonstrates whether the program meets the user\'s written set of\n        measurable objectives19. The SDM provides classes of system acceptance testing that should be\n        executed prior to system implementation including: requirements validation tests, functional\n        tests, operational tests, interface tests and security tests.\n\n        Conclusion\n        Because SBA management did not provide required project oversight or participate in system\n        acceptance testing, the SBA does not have adequate assurance that the FMLP system fulfills the\n        program\'s needs. Additionally, SBA management does not have adequate assurance that Colson\n        performed all system development activities specified in the contract. Finally, there is an\n        increased risk that SBA would be unable to migrate, operate, and maintain the system in a new\n        environment as system documentation has not been obtained by the SBA.\n\n        Recommendation(s)\n        We recommend that the Associate Administrator, Office of Capital Access:\n\n        6. \t      Retrieve and archive all FMLP system development documentation.\n        7. 
\t      Conduct a post implementation review of the FMLP project deliverables to ensure\n                  Colson adhered to its SDLC and that all project documentation and deliverables meet\n                  acceptable quality standards.\n\n17 The SBA SDM provides a structured and integrated approach to acquiring IT solutions including planning,\n  developing and operating those solutions.\n18 SOP 90-47 (2): Automated Information Systems Security Program\n19 The primary focus of the tests should be on translation errors, which are errors made in the process of\n  transforming objectives and requirements of the system into design specifications and, finally, into an\n  operational system.\n                                                          7\n\x0cWe recommend that the Associate Administrator, Office of Capital Access, in coordination with\nthe Chief Information Officer:\n\n8. \t   Ensure that all future internal and external OCA system developments adhere to SBA\n       SDM standards for project management and development.\n\nAgency Comments\n\nRecommendation 6\nThe SBA fully agreed with our recommendation. The SBA will work on retrieving and archiving\nFMLP system documentation. The SBA\'s proposed actions are responsive to recommendation 6.\n\nRecommendation 7\nThe SBA fully agreed with our recommendation. The SBA will conduct a post implementation\nreview of the FMLP system. The SBA\'s proposed actions are responsive to recommendation 7.\n\nRecommendation 8\nThe SBA fully agreed with our recommendation. However, the SBA did not propose actions that\nwere fully responsive to the recommendation. 
Specifically, the SBA did not provide details on\nthe measures it will take to ensure that all future internal and external OCA system\ndevelopments adhere to SBA SDM standards for project management and development.\n\n\n\n\n                                          8\n\x0c             Finding: The SBA Did Not Ensure that Colson\'s Operation of SBA Systems Met Federal\n                                           Security Requirements\n\n           Colson was operating SBA-owned systems without SBA ensuring their compliance with Federal\n           security requirements. Specifically, since 2007, the SBA had not assessed or authorized Colson\'s\n           FTA system operations in accordance with regulatory requirements. Additionally, the SBA did\n           not complete a system control assessment and authorization prior to deployment of the FMLP\n           system, which was a significant change to the existing Colson 504 loan servicing system.\n\n           The OMB guidance20 requires that major system applications be authorized to operate prior to\n           being put into production and system security controls to be reviewed at least every three\n           years. Additional guidance from the National Institute for Standards and Technology (NIST)21\n           details the authorization process and further requires systems to be re-assessed when\n           significant changes are made to an existing system or unplanned applications are introduced.\n           The goal of the system controls assessment and authorization process is to evaluate security\n           controls of a system, determine the risk posed by operating the system, authorize a system for\n           operation, and monitor controls after a system is placed into production. 
This process is an\n           important element of the Agency\'s IT security and risk management.\n\n           Due to an oversight by SBA management, the FTA system was not reassessed or reauthorized\n           for operation when the previous authorization expired in 2007. Additionally, due to the need to\n           introduce new statutorily mandated programs, the SBA focused on implementing the FMLP\n           system and originating and servicing 504 first mortgage loan pools rather than completing the\n           system authorization.\n\n           Conclusion\n           The SBA has allowed Colson to operate SBA systems without adequate knowledge of all system\n           risks and vulnerabilities. As a result, management did not ensure system security was\n           commensurate with the risk and magnitude of the harm resulting from the unauthorized access,\n           use, disclosure, disruption, modification, or destruction of information.\n\n           Recommendation(s)\n           We recommend that the Associate Administrator, Office of Capital Access, in coordination with\n           the Chief Information Officer:\n\n           9. \t    Complete the review of security controls and authorization of Colson FTA and CSA\n                   systems.\n           10. 
\t   Ensure that currently operated systems are authorized for operation and meet the\n                   requirements of applicable NIST guidance and that any new system meets this\n                   requirement before becoming operational.\n\n\n\n\n20   OMB Circular A-130 Appendix III "Security of Federal Automated Information Resources"\n21   NIST 800-37, Rev. 1 "Guide for Applying the Risk Management Framework to Federal Information Systems"\n\n                                                        9\n\x0cAgency Comments\n\nRecommendation 9\nThe SBA fully agreed with our recommendation and completed the review, authorization, and\naccreditation of the FTA and CSA systems hosted by Colson on August 3, 2011.\n\nRecommendation 10\nThe SBA fully agreed with our recommendation. However, the SBA did not propose actions that\nwere fully responsive to the recommendation. Specifically, the SBA did not provide details on\nhow it will ensure that new systems are authorized for operation and meet the requirements of\napplicable NIST guidance before becoming operational.\n\n\n\n\n                                          10\n\x0c                Finding: The SBA has not Adequately Enforced Collection of Secondary Market Late\n                                                 Penalty Fees\n\n           Over the last five years, Colson, as SBA\'s FTA, has collected approximately $798 million of\n           ongoing guarantee fees from lenders. Limited testing of Colson\'s collection activities\n           determined that controls were generally effective. 
However, we determined that improvement\n           is needed regarding the collection of secondary market late penalty fees from lenders.\n           Specifically, $2.5 million in secondary market late penalty fees were due to the SBA and were\n           not collected within reasonable timeframes.\n\n          The SBA\'s Standard Operating Procedures22 require lenders to complete and sign SBA Form\n          1086: Secondary Participation Guarantee Agreement for each SBA 7(a) guaranteed loan they sell\n          to investors on the secondary market. The form requires lenders to remit payments on\n          secondary market loans to the FTA by the third calendar day of every month, or the next\n          business day if the third is not a business day. When payments on secondary market loans are\n          not submitted to Colson by the time they are due to the investor, Colson will pay the investor\n          from a trust fund23 established for that purpose. 
For any payment not received by the FTA on\n          the second business day after the due date, the lender is subject to the following late payment\n          penalties:\n\n           \xe2\x80\xa2\t       a late payment penalty to SBA (collected by FTA), which is the greater of $100 or\n                    five-percent of the unremitted amount (subject to a maximum penalty of $5,000 per\n                    month);\n           \xe2\x80\xa2\t       a late payment penalty to FTA equal to the interest on the unremitted amount at the\n                    rate provided in the Note, less the rate of Lender\'s servicing fee; and\n           \xe2\x80\xa2\t       a late payment penalty to FTA calculated at a rate of twelve-percent per annum, on the\n                    unremitted amount.\n\n          The form also states that failure by the lender to pay such penalty and collection fees within ten\n          business days of receipt of a bill for such fees may constitute a significant violation of the rules\n          and regulations of the secondary market. Finally, the form states that the FTA and the SBA\n          reserve the right to withhold these penalty fees from settlement of any future guaranteed\n          interest sale, or any payment made by the SBA or FTA to the lender.\n\n          While Colson has billed lenders approximately $8 million in late penalty fees over the last five\n          years, unpaid amounts have increased from $1.7 million in 2006 to approximately $3 million in\n          2011. We determined that SBA\'s portion of these outstanding penalty fees was approximately\n          $2.5 million, most of which exceeded 180 days. 
Management was not adequately monitoring\n          outstanding secondary market late penalty fees due to a lack of resources within OFA needed to\n          collect small outstanding amounts.\n\n\n\n\n22   SOP 50 10 5(C): Lender and Development Company Loan Programs\n23   The Master Reserve Fund\n                                                       11\n\x0cConclusion\nBecause the SBA did not dedicate resources to collect these outstanding amounts,\napproximately $2.5 million in funds were not collected.\n\nRecommendation(s)\nWe recommend that the Associate Administrator, Office of Capital Access:\n\n11. \t   Collect the $2.5 million in secondary market late penalty fees by either billing lenders or\n        offsetting against any guarantee purchase amounts.\n\nAgency Comments\n\nRecommendation 11\nThe SBA did not agree with our recommendation to collect the $2.5 million in secondary market\nlate penalty fees. The SBA does not view the outstanding penalty fees as a material item in the\ncontext of total fees collected that requires the dedication of limited staff resources and time to\ncollect. The OIG believes that the $2.5 million in secondary market late penalty fees is an\noutstanding amount owed to the Agency that should be collected through direct billing or\noffset.\n\n\n\n\n                                            12\n\x0cAGENCY COMMENTS AND OFFICE OF INSPECTOR GENERAL RESPONSE\nOn October 12, 2011, we provided a draft of this advisory memorandum to the Associate\nAdministrator for Capital Access and the Chief Information Officer. On January 9, 2012, the\nOffice of Inspector General received SBA\'s final comments. The Acting Associate Administrator\nfor Capital Access generally agreed with all of the recommendations. 
A summary of\nmanagement\'s comments and our response follows.\n\nAgency Comments\n\nManagement agreed that SBA\'s Lender Loan Reporting process had systemic reporting issues\nand stated that it has made improving the process a top priority for the OCA and has already\nresolved two of the eleven recommendations. Management, however, was concerned that our\nreferences to the $5.2 million subsidy re-estimate overstatement did not clearly identify this\nvalue as an estimate and include enough context. Management also stated that the audit\nreport did not adequately disclose whether the analysis conducted in 2006 included unreported\nloans.\n\n\nOIG Response\n\nIn response to the Agency\'s comments, we added additional language in the executive summary\nto clarify that the $5.2 million subsidy amount was an estimated figure. We also revised the\nreport to provide additional information regarding the composition of loans used to derive the\nestimate. Additionally, the OIG added language within the report to disclose that the analysis of\nloan errors conducted in 2006, which identified approximately 27,000 loans in error, included\nunreported loans.\n\n\nActions Required\n\n\nPlease provide your management decision for each recommendation on the attached SBA\nForms 1824, Recommendation Action Sheet, within 30 days from the date of this report. Your\ndecision should identify the specific action(s) taken or planned for each recommendation and\nthe target date(s) for completion.\n\nWe appreciate the courtesies and cooperation of the Small Business Administration during this\naudit. 
If you have any questions concerning this report, please call me at (202) 205-7390 or Jeff\nBrindle, Director, IT and Financial Management Group at (202) 205-7490.\n\n\n\n\n                                            13\n\x0cAppendix I: Scope and Methodology\nTo accomplish our objective we reviewed contractor performance and SBA\'s oversight of contracts with\nColson Services Corporation (Colson) for Fiscal Transfer Agent (FTA) and Central Servicing Agent (CSA)\nservices. For the FTA contract, we reviewed activities related to 1502 data collection, error correction\nand reconciliation, guaranty fee collection and reconciliation, secondary market transactions, SBA Form\n159 data collection, and summary and variance reporting requirements. For the CSA contract, we\nreviewed SBA\'s oversight of the design and development of the FMLP system. Finally, we reviewed the\nsecurity and independent audit requirements of Colson\'s systems including system Certification and\nAccreditations, Statement of Accounting Standards 70 (SAS 70) reports for Colson and its parent and\nSBA\'s Plans of Action and Milestones covering Colson system vulnerabilities.\n\nOur audit methodology consisted of interviews with program officials and Colson personnel, review and\nanalysis of SBA contracts with Colson, as well as relevant reports and system documentation.\nAdditionally, we performed analytical procedures on data extracts obtained from Colson and the SBA for\nthe period of October 2010 through March 2011 and conducted limited sampling of 1502 report errors.\n\nWe conducted this audit in accordance with generally accepted government auditing standards. Those\nstandards require that we plan and perform the audit to obtain sufficient, appropriate evidence to\nprovide a reasonable basis for our findings and conclusions based on our audit objectives. 
We believe\nthat the evidence obtained provides a reasonable basis for our findings and conclusions based on our\naudit objectives.\n\n\nSampling\n\nOur analysis of SBA error conditions affecting 7(a) loans identified that 12 error codes were responsible\nfor approximately 96-percent of the total errors each month. In order to further understand the\nconditions that result in "errors" identified by SBA, we selected a judgmental sample of 36 loans, 3 per\nerror code, that were affected by these 12 errors. This sample was sufficient to identify whether the\nerror was the result of an unreported loan, a condition that Colson had knowledge of but was unable to\ncorrect, or exclusive to SBA edit criteria.\n\nTo select our judgmental sample, we performed a series of data queries to select and insert records into\nnew monthly tables from an extract of SBA\'s 1502 data. The table of records for the month of March\n2011 was selected and sorted by the error and the first three loans affected by a singular error from the\ntop 12 error codes were selected for our sample. Sampling only loans with a single error code was\nperformed to facilitate the isolation and identification of the condition resulting in the error. Loans\naffected by error codes 1044 and 1196 were only observed in combination with other error codes. In\nresponse, we sampled loans with error code combinations of \'1044, 1006\' and \'1042, 1196\' as these\ncombinations were the most common in both instances. This sample was then submitted to Colson\nrequesting that the following information be provided:\n\n    1. \t Whether the loan was reported on the 1502 by the lender during the month.\n    2. \t Whether the loan was reported on the 1502 by the lender and identified in error by Colson.\n    3. 
\t Whether the identified error(s) on a given loan were corrected by Colson prior to the final 1502\n         data submission to SBA.\n\nFor the results of this test, see Appendix V: Sample of SBA Loans in Error.\n                                                     14\n\x0c  Appendix II: Lenders Not Reporting at Least 100 Loans between October 2010 - March\n  2011\n\n  Table 1. Lenders Not Reporting at Least 100 Loans between October 2010 - March 2011\n\n\n\n                                              Loans           Loans      Loans      Loans      Loans      Loans\n                                               Not             Not        Not        Not        Not        Not\n                                             Reported        Reported   Reported   Reported   Reported   Reported\nLENDER NAME                                   Oct-10          Nov-10     Dec-10     Jan-11     Feb-11     Mar-11\nBANCO POPULAR DE PUERTO RICO                    221            218        242        245        240        246\nBANCO POPULAR NORTH AMERICA                    1,550           104        104        100       1,421       100\nBRANCH BANKING & TRUST CO.                      116            111        118        127        135        146\nCAPITAL ONE FSB                                 271            272        273        300        304        300\nCHARTER ONE BANK N.A.                           
178            158        167        542        178        187\nCITIZENS BANK                                  1,372          1,395      1,391      1,383      1,415      1,409\nCITIZENS BANK PENNSYLVANIA                      279            292        296        305        314        319\nCITIZENS BANK OF MASSACHUSETTS                  188            192        193        190        375        387\nCITIZENS BANK OF RHODE ISLAND                   114            116        113        115        116        113\nDORAL FEDERAL SAVINGS BANK                      104            104        104        104        104        103\nFIRST COMMONWEALTH BANK                         131            125        124        120        114        111\nHSBC BANK USA                                   220            241        244        249        253        253\nHUNTINGTON NATIONAL BANK                        101            105        121        100        130        127\nINNOVATIVE BANK                                 229            414        369        515        495        675\nJPMORGAN CHASE BANK, NA                         527            489        522        529        558        324\nMANUFACTURERS & TRADERS TRUST                   254            200        219        206        216        200\nSOVEREIGN BANK MID ATLANTIC                     101           1,833       100        104       1,894      1,922\nTD BANK, NA                                     508            491        491        505        508        511\nWASHINGTON MUTUAL BANK, FA                      115            131        125        126        329        124\nWELLS FARGO BANK N.A.                           
392            417        434        633        676        735\nTOTAL                                          6,971          7,408      5,750      6,498      9,775      8,292\n\n\n\n  Source: Colson Services Corporation\n\n\n\n\n                                                        15\n\x0c  Appendix III: Lenders Reporting at Least 100 Loans in Error between October 2010 -\n  March 2011\n  Table 2. Lenders Reporting at Least 100 Loans in Error between October 2010 - March 2011\n\n                                                 Loans         Loans       Loans       Loans       Loans       Loans\n                                               Reported      Reported    Reported    Reported    Reported    Reported\n                                                In Error      In Error    In Error    In Error    In Error    In Error\nLENDER NAME                                      Oct-10       Nov-10      Dec-10       Jan-11      Feb-11     Mar-11\nBANCO POPULAR DE PUERTO RICO                     142           157         129         138         160         164\nBANCO POPULAR NORTH AMERICA                      157           118         197         182         202         144\nBANK OF AMERICA N.A.                             610          1,139        722         864         885         871\nCAPITAL ONE FSB                                  843           766         823         815         836         299\nCHARTER ONE BANK N.A.                            
199           183         190         177         208         206\nCITIZENS BANK                                    736           755         825         788         833         845\nCITIZENS BANK PENNSYLVANIA                       435           433         441         440         445         444\nCITIZENS BANK NA                                 175           172         165         145         169         170\nCITIZENS BANK NEW HAMPSHIRE                      273           274         292         298         304         320\nCITIZENS BANK OF CONNECTICUT                     104           108         110         100         115         111\nCITIZENS BANK OF MASSACHUSETTS                   479           478         486         521         447         459\nCITIZENS BANK OF RHODE ISLAND                    239           237         248         269         254         264\nFIRST CITIZENS F/K/A TEMECULA                    168           167         173         171         136         169\nJPMORGAN CHASE BANK, NA                          208           181         176         205         182         144\nMANUFACTURERS & TRADERS TRUST                    258           279         242         244         214         216\nPNC BANK, NATIONAL ASSOCIATION                   319           212         217         345         204         767\nWELLS FARGO BANK N.A.                            351           340         307         883         298         289\nTOTAL                                           5,696         5,999       5,743       6,585       5,892       5,882\n\n\n\n  Source: Colson Services Corporation\n\n\n\n\n                                                        16\n\x0cAppendix IV: Summary Table of 1502 Errors\n\nTable 3. 
Summary of 1502 Errors\n\n\n                                             Oct-10   Nov-10    Dec-10   Jan-11   Feb-11   Mar-11             % of\n  SBA Error                                  39,326   41,233    39,969   43,863   43,107   44,286             Total\n    Code           SBA Error Code Text        loans    loans     loans    loans    loans    loans    Total    Errors\n1006           Lender not reported           17,544   19,403    17,828   22,336   22,994   19,559   119,664     32%\n               Guarantee Report status\n1044           code is mandatory             11,239   13,759    12,559   15,805   15,218   13,421    82,001     22%\n               Outstanding Balance\n               cannot decrease as\n1030           Principal Payment is 0         8,875    8,923     9,096    8,707    7,759   11,855    55,215     15%\n               If Guaranty Service Status\n               Code is 1,2,3,4 Current\n1037           Loan Status must be 1 or 2     7,821    7,490     7,585    7,031    6,845    6,978    43,750     12%\n               Outstanding Balance plus\n               Total Amount Undisbursed\n               cannot exceed Current\n1042           Loan Approval Amount           2,699    2,699     2,677    2,732    2,559    3,133    16,499      4%\n1029           Loan has been Purchased        1,113    1,215     1,484    1,273    1,358    1,691     8,134      2%\n               Outstanding Balance must\n               be less than or equal to\n               Current Loan Approval\n1196           Amount                         1,406    1,371     1,342    1,415    1,320    1,306     8,160      2%\n               First Disbursement Date\n               cannot be null when Loan\n1048           Disbursed Indicator is Y         783     951      1,033    1,203      935    1,064     5,969      2%\n               Total Amount Undisbursed\n               must be 0 for a loan in\n1050           Liquidation                    1,092    1,135     1,020      963      894 
   1,004     6,108      2%\n               Current loan status must\n               be 1 (Approved - Fully\n               Undisbursed) , 2 (Disbursed\n               - Regular Servicing) or 3\n1011           (Disbursed -In-Liquidation)      552     985      1,091      805    1,013    1,089     5,535      1%\n               If Guaranty Service Status\n               Code is 9 or 0, Total\n               Amount Undisbursed must\n               equal Current Loan\n1033           Approval Amount                  720     784       744       879    1,070      765     4,962      1%\n               If Guaranty Service Status\n               Code is 1,2,3,4 Outstanding\n               Balance must be greater\n1035           than 0                           757     670       716       774      598      621     4,136      1%\nRemaining\nErrors                                        2,775    2,986     2,849    2,529    2,776    2,636    16,551      4%\nTotal Errors                                 57,376   62,371    60,024   66,452   65,339   65,122   376,684\n\n\n\nSource: SBA 1502 Data Warehouse information\n\n\n\n\n                                                           17\n\x0c       Appendix V: Sample of SBA Loans in Error\n       Table 4. 
Sample of SBA loans in Error\n\n\n                                                                                               Loan\n                                                                                           reported on    Loan reported\n                                                                                             1502 by       on 1502 and       Error\nSample      SBA Loan     SBA Error                                                          lender to      identified in   Corrected\n Item        Number        Code            SBA Error Message(s) for loans in error            Colson     error by Colson   by Colson\n  1       1689785006     1006        Lender not reported\n  2       1720975003     1006        Lender not reported\n  3       1943406000     1006        Lender not reported\n  4                                  Current loan status must be 1 (Approved - Fully\n                                     Undisbursed) , 2 (Disbursed - Regular Servicing) or       X\n          2041145004     1011        3 (Disbursed -In-Liquidation)\n  5                                  Current loan status must be 1 (Approved - Fully\n                                     Undisbursed) , 2 (Disbursed - Regular Servicing) or       X                X\n         4327845007      1011        3 (Disbursed -In-Liquidation)\n  6                                  Current loan status must be 1 (Approved - Fully\n                                     Undisbursed) , 2 (Disbursed - Regular Servicing) or       X\n          9347654002     1011        3 (Disbursed -In-Liquidation)\n   7      [Ex. 4, 6]     1029        Loan has been Purchased                                   X\n   8       [Ex. 4]       1029        Loan has been Purchased                                   X\n   9       [Ex. 
4]       1029        Loan has been Purchased                                   X\n  10                                 Outstanding Balance cannot decrease as Principal\n                                                                                               X                X\n          1803545009     1030        Payment is 0\n  11                                 Outstanding Balance cannot decrease as Principal\n                                                                                               X\n          2256355005     1030        Payment is 0\n  12                                 Outstanding Balance cannot decrease as Principal\n                                                                                               X\n          9147504009     1030        Payment is 0\n  13                                 If Guaranty Service Status Code is 9 or 0, Total\n                                     Amount Undisbursed must equal Current Loan                X\n          3607465000     1033        Approval Amount\n  14                                 If Guaranty Service Status Code is 9 or 0, Total\n                                     Amount Undisbursed must equal Current Loan                X\n         4313825000      1033        Approval Amount\n  15                                 If Guaranty Service Status Code is 9 or 0, Total\n                                     Amount Undisbursed must equal Current Loan                X\n         4341205010      1033        Approval Amount\n  16                                 If Guaranty Service Status Code is 1,2,3,4\n                                                                                               X                X\n          2191446002     1035        Outstanding Balance must be greater than 0\n  17                                 If Guaranty Service Status Code is 1,2,3,4\n                                                                                               X                X\n   
        4197205004   1035         Outstanding Balance must be greater than 0
18      6507933003   1035         If Guaranty Service Status Code is 1,2,3,4          X               X
                                  Outstanding Balance must be greater than 0
19      1999106003   1037         If Guaranty Service Status Code is 1,2,3,4 Current  X
                                  Loan Status must be 1 or 2
20      6206544007   1037         If Guaranty Service Status Code is 1,2,3,4 Current  X
                                  Loan Status must be 1 or 2
21      6586044000   1037         If Guaranty Service Status Code is 1,2,3,4 Current  X
                                  Loan Status must be 1 or 2
22      1919076008   1042         Outstanding Balance plus Total Amount Undisbursed   X               X
                                  cannot exceed Current Loan Approval Amount

                                                                                      Loan reported   Loan reported on
                                                                                      on 1502 by      1502 and identified   Error
Sample  SBA Loan     SBA Error                                                        lender to       in error by           Corrected
Item    Number       Code         SBA Error Message(s) for loans in error             Colson          Colson                by Colson
23      4241145008   1042         Outstanding Balance plus Total Amount Undisbursed   X               X                     X
                                  cannot exceed Current Loan Approval Amount
24      4382135009   1042         Outstanding Balance plus Total Amount Undisbursed   X               X
                                  cannot exceed Current Loan Approval Amount
25      1771774006   1044, 1006*  Guarantee Report status code is mandatory;
                                  Lender not reported
26      1864765009   1044, 1006*  Guarantee Report status code is mandatory;
                                  Lender not reported
27      1951005002   1044, 1006*  Guarantee Report status code is mandatory;
                                  Lender not reported
28      1847505010   1048         First Disbursement Date cannot be null when Loan    X
                                  Disbursed Indicator is Y
29      3476615007   1048         First Disbursement Date cannot be null when Loan    X
                                  Disbursed Indicator is Y
30      4075825004   1048         First Disbursement Date cannot be null when Loan    X
                                  Disbursed Indicator is Y
31      [Ex. 4]      1050         Total Amount Undisbursed must be 0 for a loan in    X
                                  Liquidation
32      [Ex. 4, 6]   1050         Total Amount Undisbursed must be 0 for a loan in    X
                                  Liquidation
33      [Ex. 4, 6]   1050         Total Amount Undisbursed must be 0 for a loan in    X
                                  Liquidation
34      1397645008   1196, 1042*  Outstanding Balance plus Total Amount Undisbursed   X               X
                                  cannot exceed Current Loan Approval Amount;
                                  Outstanding Balance must <= Current Loan
                                  Approval Amount
35      1431805002   1196, 1042*  Outstanding Balance plus Total Amount Undisbursed   X               X
                                  cannot exceed Current Loan Approval Amount;
                                  Outstanding Balance must <= Current Loan
                                  Approval Amount
36      4514505005   1196, 1042*  Outstanding Balance plus Total Amount Undisbursed   X               X
                                  cannot exceed Current Loan Approval Amount;
                                  Outstanding Balance must <= Current Loan
                                  Approval Amount

Source: SBA 1502 Data Warehouse information and supplemental information provided by Colson
Services Corporation

This appendix provides the results of a sample of SBA identified 1502 errors on 36 loans and whether
Colson Services Corporation identified the loans as: 1) not reported by lenders, 2) reported in error by
lenders, or 3) corrected by Colson Services
Corporation.

Appendix VI: SBA 1502 Edits not Effectively Utilized by Colson

Table 5. SBA 1502 Edits not Effectively Utilized by Colson

SBA Edit                                                                                 Percent of Total
Check      Error Message                                                                 SBA Errors
1011       Current loan status must be 1 (Approved - Fully Undisbursed), 2               1%
           (Disbursed - Regular Servicing) or 3 (Disbursed - In-Liquidation)
1029       Loan has been purchased                                                       2%
1030       Outstanding balance cannot decrease as principal payment is 0                 15%
1033       If guaranty service status code is 9 or 0, total amount undisbursed must      1%
           equal current loan approval amount
1037       If guaranty service status code is 1,2,3 or 4, current loan status must be    12%
           1 or 2
1048       First disbursement date cannot be null when loan disbursed indicator is Y     2%
1050       Total amount undisbursed must be 0 for a loan in liquidation                  2%
Total                                                                                    35%

Source: SBA 1502 Data Warehouse information and supplemental information provided by
Colson Services Corporation

Appendix VII: Use of Computer-Processed Data and Prior Coverage

We were provided several documents and reports containing computer-processed data.
The majority of these were Microsoft Excel documents created by Colson to support contractual
requirements for their FTA responsibilities. These reports included summarized lender 1502 exception
reports, 7(a) Monthly Dashboard reports, and outstanding secondary market late penalty fee reports.

We were also provided SBA 1502 Data Warehouse information for the period covering October 2010
through April 2011. We conducted detailed data analyses of 1502 records to determine common errors
and error counts and compared them to summary reports generated by SBA to monitor loan records
that do not update in ELIPS. We performed limited tests of these reports and 1502 Warehouse
information and determined that the data was reasonably complete, authentic and accurate.

Prior Coverage

Multiple audits and reviews have been conducted between 2005 and 2011 related to the 1502 loan
reporting process and SBA's oversight of Colson operations. The SBA OIG reports and other review
reports used in this audit include:

SBA OIG Reports
    • Review of the 1502 Reporting Process, December 9, 2005, Report Number 06-07.
    • Loan Classifications and Overpayments on Secondary Market Loans, March 26, 2008, Report
      Number 08-09.
    • Audit of SBA's FY 2010 Financial Statements - Management Letter, December 15, 2010, Report
      Number 11-05.

SBA OIG reports can be accessed at http://www.sba.gov/office-of-inspector-general.

Other Reports
    • Kearney & Company: Summary of the 1502 Project, August 24, 2006
    • FI Consulting: 1502 Reporting Process Analysis, August 13, 2010
    • FI Consulting: 1502 Reporting Process Analysis, July 14, 2011

Appendix VIII: Agency Comments

    RESPONSE TO "AUDIT OF CONTROL AND SECURITY OF SBA'S FISCAL TRANSFER AGENT"

Improving the 1502 process is a top priority
for the Office of Capital Access (OCA). The OCA is leading an
intra-agency team to identify core issues and improvement opportunities to remedy lender loan
reporting in the 7(a) program. These should be resolved upon execution of the project plan over the
next six months.

OCA has reviewed the Office of Inspector General ("OIG") draft report titled "Audit of Control and
Security of SBA's Fiscal Transfer Agent" dated October 13, 2011 (the "audit")24.
In discussions that we have had with the OIG, we understand that the OIG's reference to a report
prepared for the CFO by an outside third party contractor (referred to from this point as the "CFO
contractor report")25, was only to determine the financial impact of reported errors on the subsidy
estimates. We believe reference to the CFO contractor report as a means to develop a numerical point
estimate should be disclosed in the audit so that the reader is aware of the limited use of the
analysis and can determine on their own if other aspects of the analysis have merit. The objective of the
audit is to determine the adequacy of SBA's controls and oversight over the development, security, and
operation of certain information technology systems and processes performed by the agency's procured
contractor serving as the Fiscal Transfer Agent (FTA) for SBA's secondary market for SBA 7(a) loans and
as Central Servicing Agent (CSA) for SBA's 504 loan program.

OIG has issued eleven recommendations following its review, three of which require input from the
Office of Chief Information Officer.
The comments below address the report contents in general and
recommendations for action that have been made to the Associate Administrator for Capital Access.

OCA's response to the audit is coordinated with the format of the audit report so, for example,
comments to statements made in the "Executive Summary" of the audit can be found under the header
"Executive Summary" in this document.

RESPONSE TO RECOMMENDATIONS

Executive Summary

In the Executive Summary, the OIG stated that it found that the lender loan reporting process had issues
and weaknesses that resulted in a $956 million overstatement of unpaid loan balances with a $5.2
million effect on subsidy estimates.

        Response: The summary purports to disclose the overstatement as a matter of fact instead of the
        CFO contractor report estimate.

        The subsequent statement that the overstatement results in a $5.2 million effect on subsidy
        estimates lacks context unless it is compared with the re-estimate total provided in the same
        CFO contractor report $26.24 million. This results in a 0.54% impact on the overall subsidy
        estimate.

We would expect this disclosure to be contained in the audit.

24 In this document, the term "audit" shall refer both to the draft audit report and the audit activity underlying the
   report.
25 Small Business Administration 1502 Reporting Process Analysis, 14 July 2011 by FI Consulting.

Response to Specific Recommendations

Seven of the eleven recommendations center on improving lender reporting behavior, introducing daily
data transfers, and aligning business validation rules that exist separately at the SBA and at Colson
Services Corp, our fiscal and transfer agent. The OCA is leading an intra-agency team to identify core
issues and improvement opportunities to remedy lender loan reporting in the 7(a) program.
These should be resolved upon execution of the project plan over the next six months.

Two of the eleven have been resolved separate from the report, and three others require input from
information systems development staff.

First Finding - SBA Management has not Adequately Addressed Systemic Data Control
Weaknesses within the 1502 Report Process

The statement is made in the second paragraph that "... Colson is not complying with its contractual
requirement to correct errors ..."

        Response: The fiscal and transfer agent contract with Colson sets performance measures based
        on correctable errors that are received back from lenders issued exception notices. If lenders do
        not respond to lender exception notifications, Colson remains obligated to return all accounts
        received at the beginning of a monthly report cycle. In this report cycle framework, it is not
        possible for Colson to adjust incorrect account information arbitrarily.
        OCA has also investigated the differences in what Colson deems as a correct account, and what
        SBA considers as remaining in error. We have engaged SBA stakeholders in developing uniform
        validation rules that will be implemented in 2012 to eliminate this divergence from occurring.
        This exercise has been initiated by SBA and Colson within the last 90 days, and SBA is tracking
        this as a priority project in Capital Access.

In addition, the finding is based on increases in the number of unreported and uncorrected data errors
related to SBA loan balances in the 7(a) program.

        Response: The analysis of loan error increases considers two discrete points in time and
        establishes a ratio accordingly. The audit does not disclose whether the analysis conducted in
        2006 included unreported loans as they are now in 2011.
        Nor does the audit look at the change
        in the portfolio composition and the flow of accounts in and out of the portfolio between the two
        time periods. To that end, SBA presents the following

        Loan Error Rate Increase

        March 2011 Loans in Error                                          44,327
        April 2006 Loans in Error                                          27,111
            Reported Increase in Loan Error Rate                            63.5%

        Number of Loans in Portfolio at Sep 30 2005:                       265773

                  # of Loan     Loans Removed from     # of Loans
        FY        Approvals     Active Portfolio       Outstanding
        2006         97,291                 70,204         292,860
        2007         99,607                 71,459         321,008
        2008         69,437                 71,050         319,395
        2009         41,289                 61,122         299,562
        2010         47,000                 62,384         284,178
                                           336,219
        Number of Loans in Portfolio at Sep 30 2010:

        Total Number of Accounts in Portfolio that                        276,746
            Involved Change in Status, 2006 - Apr 2011
        Total Accounts That Impacted Active Portfolio

        Loan Error Rate - Revised                                           7.23%

        When viewed in this context, the loan error rate is 7.23%, not 63.5%, and should be the baseline
        for process improvement. OCA respectfully disagrees with this element of the finding as
        presented.

Response to Recommendations

1. Research and correct loans that have not been reported within the Electronic Loan Information
   Processing System (ELIPS) for a significant length of time (i.e. 6 months or more) which
   contribute to subsidy overstatements currently estimated at $5.2 million.

Response: The Office of Capital Access has initiated a project team to develop and implement a
lender outreach program focused on changing lender behavior in order to comply with reporting
standards. The goal is to develop greater lender awareness of loan reporting impact on SBA
stakeholders, connect greater lender compliance with program privileges (PLP authority, secondary
market participation, waiver from SBA right of offset) by establishing an enforcement role within the
Office of Credit Risk Management (OCRM) for those lenders with repeated errors in Form 1502
report filings.

2. Utilize the lender exception detail reports to identify and address lenders that consistently do
   not report loans and issue corrective action plans.

Response: These reports have been circulated to OCRM each month since August 2010 to focus
attention on those lenders repeatedly identified with unreported or incorrect and unresolved
reporting errors. We expect risk-based reviews to include corrective action recommendations to
improve lender loan reporting.

3. Utilize the lender exception detail reports to identify lenders with consistent 1502 errors and
   develop training programs that will significantly reduce their error rates.

Response: As mentioned above, we have a plan in place to build greater awareness within the
lender community on proper completion of the Form 1502. We utilize the exception report to
identify lenders, and are looking into which Agency resource could best address corrective efforts
with these lenders.

4. Identify SBA business rules that affect most loans and provide them in a useable format that
   Colson can integrate into relevant systems.

Response: Our 1502 process improvement project includes consolidating SBA validation codes at
Colson. Development and implementation is underway and we expect to see results by the first
quarter of calendar year 2012.

5. Develop a plan to oversee and enforce FTA contractual requirements for the daily electronic
   loan information exchange and error correction.

Response: This effort is incorporated into our improvement project with technical team meetings
between the FTA and SBA systems information staff underway.

Second Finding - SBA did not Provide Adequate Oversight of the First Mortgage Loan Pooling
System Development

Response to Recommendations

6. Retrieve and archive all FMLP system development documentation.

Response: SBA will work on retrieving and archiving this documentation.

7. Conduct a post implementation review of FMLP project deliverables to ensure Colson adhered
   to its SLDC and all project artifacts meet acceptable quality standards.

Response: SBA agrees and will conduct a post implementation review.

8. Ensure that all future internal and external OCA system developments adhere to SBA SDM
   standards for project management and development.

Response: SBA agrees.

Third Finding - SBA Did Not Ensure That Colson's Operation of SBA Systems Met Federal
Security Requirements

The report states that systems owned by SBA and operated by Colson were operating without SBA
ensuring the system compliance with Federal security requirements.

        Response: SBA has worked hand-in-hand with the Office of the Chief Information Officer since
        early 2011 to obtain system security accreditation and authorization.
        This authorization and accreditation was secured for these systems in August 2011. This
        extensive effort included the system elements associated with the FMLP program and was being
        completed at the same time as this review. We would recommend the report reflect this as a
        subsequent event that has been addressed. OCA agrees with the finding and has since corrected
        the finding.

Response to Recommendations

9. Complete the review of security controls and authorization of Colson FTA and CSA systems.

Response: The review, authorization and accreditation of the FTA and CSA systems hosted by
Colson were completed August 3, 2011.

10. Ensure that currently operated systems are authorized for operation and meet the requirements
    of applicable NIST guidance and that any new system meets this requirement before becoming
    operational.

Response: SBA agrees.

Fourth Finding - SBA has not Adequately Enforced Collection of Secondary Market Late
Penalty Fees

The draft report estimates that over the last five years, SBA has not collected $2.5 million in late fees
through Colson.

        Response: This estimate of uncollected fees should be viewed in the context of all fees collected
        in the 7(a) program over this same period. See below:

        Fee Collection

        Reported Collection Deficiency                                  2,500,000
        Total Fees Collected, FY2006 - March 2011                     798,000,000

        Fees Outstanding / Fees Collected                                  0.313%

        OCA considers the recommendation to devote resources to collect late fees to be immaterial in
        relation to total fee collection activity.

Response to Recommendations

11. Collect the $2.5 million in secondary market late penalty fees by either billing lenders or
    offsetting against any guarantee purchase amounts.

Response: The Office of Capital Access does not view this as a material item and does not agree
with the recommendation to dedicate limited staff resources and time to collect secondary market
late penalty fees.
'